Title: security – Make WordPress Community

---

# Tag Archives: security

[Ian Dunn](https://profiles.wordpress.org/iandunn/)
11:36 am _on_ June 10, 2015
Tags: [Improving WordCamp.org ( 17 )](https://make.wordpress.org/community/tag/improving-wordcamp-org/),
maintenance, [official websites ( 44 )](https://make.wordpress.org/community/tag/official-websites/),
security, [wordcamp.org ( 34 )](https://make.wordpress.org/community/tag/wordcamp-org/)

# [Allowing Custom PHP and JavaScript on WordCamp.org](https://make.wordpress.org/community/2015/06/10/allowing-custom-php-and-javascript-on-wordcamp-org/)

By far the most common request in [the WordCamp.org tools survey results](https://make.wordpress.org/community/2015/06/10/wordcamp-org-tools-survey-results)
was for the ability to write custom PHP and JavaScript. This is definitely understandable,
because being limited to only modifying CSS does significantly restrict what you
can do with your site.

### Why not allow custom PHP and JavaScript?

The reason that this restriction exists is because there would be very serious security
and maintenance implications if we were to open things up.

Security is very hard, even for experienced developers. Everybody makes a mistake
at least occasionally, and many developers don’t realize how often  they do.

There’s no doubt that allowing unreviewed PHP or JavaScript would introduce critical
vulnerabilities, not just to WordCamp.org, but to the rest of the WordPress.org
infrastructure as well, and even to regular WordPress sites interacting with the
infrastructure.

WordCamp.org is connected to the rest of WordPress.org in several key ways, and
the right kind of vulnerability (or combination of vulnerabilities) could allow
an attacker to do some pretty scary things, like silently stealing password hashes
or authorization cookies. If they targeted someone with commit access to Core,
WordPress.org, or a popular plugin, then the results would be severe.

Of course, we have access controls, monitoring, and other systems in place to minimize
the chance of an attack and mitigate its effectiveness, but the essential threat
is there and can’t be downplayed.

### Why not just review custom code before it’s committed?

We just don’t have the resources to review that much code. There are only two developers
who handle the vast majority of the work on WordCamp.org, and both of us also have
responsibilities on other projects. So, we have roughly the equivalent of one full
time developer. There were 80 WordCamps in 2014, and that number grows every year.

Conducting a thorough security audit and code review takes a significant amount 
of time, and simply isn’t possible with the resources we have.

Imagine giving hundreds of developers access to one of your high profile sites,
or committing to review hundreds of themes and plugins every year while still trying
to build new features and iterate on existing ones.

### Other potential solutions

 * Assemble a team of **volunteers to review code** – Because of the security
   concerns, any volunteers would need to be very experienced and a trusted member
   of the community, and because of the volume of sites, we would need to have a
   lot of them. I don’t think we’d be able to keep up with the demand, and we’d
   also be taking those people away from contributing to other projects. It’d be
   much more efficient and make a bigger impact if those people collaborated on
   projects that could be shared between all camps instead.
 * Let everyone **host their own site** – This is how things were in the early days,
   but we moved to a centralized platform because it was common for domain names
   to expire, or for the current year’s team to be unable to post an announcement
   to the previous year’s site, or for sites to be unmaintained and get hacked,
   etc. It would also mean that organizers would have to spend extra time setting
   up hosting, and, because of security concerns, anything that requires connecting
   to WordCamp Central or the WordPress.org infrastructure would become much more
   complicated (e.g., centralized payment requests and ticket revenue collections,
   single sign-on, integration with Profiles.WordPress.org, etc).
 * Create each site inside an **isolated, virtual container** – That would require
   a lot of work from the Systems team, who are also very limited on resources, 
   and it would have the same downsides as above, where anything that connects to
   Central or WordPress.org would become much more complicated.
 * Only let **experienced developers** write custom code – The security concerns
   would force us to set the bar very high, and evaluating a developer’s qualifications
   is itself a time-consuming process, so this would only impact a small number
   of camps. It could also make it appear like certain camps were getting special
   treatment, and lead to hurt feelings when someone who feels like they’re experienced
   enough isn’t accepted.

### What makes the most impact?

WordCamp sites are tools that help organizers communicate with attendees. It’s great
to have a design the community can take pride in, and working on the site can definitely
be a community-building experience, but volunteer hours are limited. It’s best to
focus on things that will inspire and connect attendees at the event, rather than
making the website perfect.

At the end of the day, attendees will be helped the most by the sessions, workshops,
networking, and contributing that goes on at the event.

The goal of WordCamp.org is to give organizing teams something that works out of
the box and facilitates all of the basic conference services that most WordCamps
need, so that you can spend your limited time on the event, rather than the website
for the event.

### Solutions that benefit everyone

Allowing organizers to write custom PHP/JavaScript isn’t the real goal, it’s just
a means to an end; and I think there are better ways to get there.

For the most part, all of our camps have very similar needs, so rather than each
one re-inventing the wheel on their own, it’s much more efficient if we collaborate
on solutions that work for everybody.

[The survey results](https://make.wordpress.org/community/2015/06/10/wordcamp-org-tools-survey-results)
helped us identify the worst pain points with the current tools, and we’re planning
solutions to improve the CSS editing experience, to give more theme/template options
to choose from, and to be able to easily clone another camp’s site instead of having
to start from scratch. The feedback on all of those was that they’d have a huge 
impact on everyone’s ability to create the sites they want.

I think that focusing our time and energy there is going to be much better for everyone
in the long term. If you’d like to help move those projects forward, please check
out [the survey recap](https://make.wordpress.org/community/2015/06/10/wordcamp-org-tools-survey-results)
for next steps.

And if there’s a project that would benefit everybody, but it’s not on that list,
you can always work with the Community Team to build a consensus for it, and organize
a group of developers from local communities to [contribute it](https://plan.wordcamp.org/first-steps/web-presence/contributing-to-wordcamp-org/).
You don’t have to be a developer yourself; many projects need people to organize
everything, create designs, write documentation, perform user testing, etc.

[#improving-wordcamp-org](https://make.wordpress.org/community/tag/improving-wordcamp-org/),
[#maintenance](https://make.wordpress.org/community/tag/maintenance/), [#official-websites](https://make.wordpress.org/community/tag/official-websites/),
[#security](https://make.wordpress.org/community/tag/security/), [#wordcamp-org](https://make.wordpress.org/community/tag/wordcamp-org/)


[Ian Dunn](https://profiles.wordpress.org/iandunn/)
10:03 pm _on_ March 5, 2015
Tags: [accessibility ( 4 )](https://make.wordpress.org/community/tag/accessibility/),
customization, [Improving WordCamp.org ( 17 )](https://make.wordpress.org/community/tag/improving-wordcamp-org/),
[Jetpack CSS Editor ( 4 )](https://make.wordpress.org/community/tag/jetpack-css-editor/),
maintenace, [official websites ( 44 )](https://make.wordpress.org/community/tag/official-websites/),
security, [themes ( 8 )](https://make.wordpress.org/community/tag/themes/), [wordcamp.org ( 34 )](https://make.wordpress.org/community/tag/wordcamp-org/)

# [Improving WordCamp.org: Notes from the 2014 Community Summit](https://make.wordpress.org/community/2015/03/05/improving-wordcamp-org-notes-from-the-2014-community-summit/)

At [the 2014 Community Summit](http://2014.sf.wordcamp.org/community-summit-overview/)
there was a breakout discussion that focused on ways to improve WordCamp.org. You’ll
find the notes from that discussion below, which are being posted here so that the
discussion can continue with the participation of everyone who’s interested (not
just those who were able to make it to the Summit).

Kudos to [@dimensionmedia](https://profiles.wordpress.org/dimensionmedia/) for taking
the notes. It’s impossible to catch everything, though, so if anyone remembers any
ideas or remarks that didn’t get recorded, please post them in the comments (but
please don’t reveal the identity of the person who made the remark, since the Summit
was a [safe space](http://2014.sf.wordcamp.org/community-summit-overview/).)

_* * * *_

Most of the discussion centered around the desire of organizing teams to customize
their site more than they currently can, or making it easier to customize.

The top 5 pain-points of people present at the discussion were:

 * CSS Editor
 * Lack of custom JS
 * Lack of accessibility
 * Theme Repo is too small
 * Possibility of crafting default theme

### Customization of WordCamp themes

This was more of a passionate subject than you would think. First we discussed best
ways to share code with other WordCamp sites that already have great designs, because
not every camp has access to a designer. Since WordCamp sites only allow CSS as 
custom code, right now it’s a copy/paste process.

We talked about two main areas of customization: design and functionality.

**Design wise,** we talked about how extendable current themes are and maybe aren’t.
We talked about the hacking that needs to be done in certain situations. And we
talked about having a potential gallery of WordCamp sites that organizers can choose
from – greater availability of choices than what we currently have. Offering themes
that have already been audited by WordPress.com (but are also available in the
WordPress.org repository) might be an easy way to add more choice.

We also talked about maybe making certain large sections of a theme a widget to
begin to allow custom HTML in addition to the custom CSS. Or possibly creating more
page templates that meet common needs.

**Functionality wise,** we came up with some potential interesting ideas for WordCamp
sites. We talked about how some customizations have come about and been implemented.
And also possibility of allowing WordCamps to experiment with a concept or idea,
and then bring it to the attention of the WordCamp development team, which is by
the way run only by two people and they deserve a ton of praise for that. Some of
the more simple ideas, like commenting for asking questions.

**So our takeaway** was understanding current limitations, primarily for security.
But also allowing flexibility for great designs and concepts for future WordCamps.

Why we disallow custom PHP code: every single plugin would have to be maintained
forever and also looked over to make sure the code is secure. If there was a security
vulnerability on WordCamp.org, then that would put WordPress.org in a position to
be hacked, since they’re connected. We also try to create solutions that work for
all WordCamps, rather than just a single camp doing something on their own. Contributions
can be [made to the Meta trac](http://plan.wordcamp.org/first-steps/web-presence/contributing-to-wordcamp-org/)
and integrated for all WordCamps to use.

### Miscellaneous

 * We also discussed perhaps converting each site to static HTML after the camp 
   is over, which would allow us to remove the burden of constantly maintaining 
   plugins. Maybe use commenting for archives.

 * MailPoet has the ability to integrate with WordPress, providing basic functionality
   that could be useful for other WordCamps. CampTix has some MailChimp integration;
   it collects stats, and delivers information back to WordCamp.org. We want to 
   own that data, not a third-party.

 * Sessions might be extended by custom post types.

So say we all.

_* * * *_

After the Summit, @ryelle built a prototype for a way to easily clone another WordCamp’s
CSS and other visual elements, to help organizing teams get a quick start on their
own site. Kelly, could you please post that code to Meta Trac, so that everyone
can check it out and collaborate on it? A couple screenshots in the comments would
be awesome too, for those who aren’t developers.

I’ve also spent some time thinking about how we could improve the CSS-editing experience,
but that’s a big enough topic that it warrants a separate discussion, so I’ve started
[another post](https://make.wordpress.org/community/2015/03/05/improving-wordcamp-org-user-experience-of-the-css-editor)
for that.

If you have any thoughts on anything mentioned above, or have an idea to improve
WordCamp.org that hasn’t been mentioned yet, please post it in the comments 🙂

Everyone is encouraged to participate in the discussion, but I’m pinging the people
who took part in the original discussion to make sure they don’t miss the post:
@ryelle, [@harbormark](https://profiles.wordpress.org/harbormark/), [@chanthaboune](https://profiles.wordpress.org/chanthaboune/),
[@nvwd](https://profiles.wordpress.org/nvwd/), [@kovshenin](https://profiles.wordpress.org/kovshenin/),
[@rafaehlers](https://profiles.wordpress.org/rafaehlers/), [@davidjlaietta](https://profiles.wordpress.org/davidjlaietta/),
[@dimensionmedia](https://profiles.wordpress.org/dimensionmedia/), [@mj12982](https://profiles.wordpress.org/mj12982/),
[@iandstewart](https://profiles.wordpress.org/iandstewart/), [@miss_jwo](https://profiles.wordpress.org/miss_jwo/),
[@topher1kenobe](https://profiles.wordpress.org/topher1kenobe/)

[#accessibility](https://make.wordpress.org/community/tag/accessibility/), [#customization](https://make.wordpress.org/community/tag/customization/),
[#improving-wordcamp-org](https://make.wordpress.org/community/tag/improving-wordcamp-org/),
[#jetpack-css-editor](https://make.wordpress.org/community/tag/jetpack-css-editor/),
[#maintenace](https://make.wordpress.org/community/tag/maintenace/), [#official-websites](https://make.wordpress.org/community/tag/official-websites/),
[#security](https://make.wordpress.org/community/tag/security/), [#themes](https://make.wordpress.org/community/tag/themes/),
[#wordcamp-org](https://make.wordpress.org/community/tag/wordcamp-org/)
